Developer Network

« Back to CVP - All Versions

Two step (mutual authentication) SSL - CVP/Tomcat - 403 response

Combination View

Jason Jackson Posts: 12 Join Date: 6/2/10 Recent Posts	Two step (mutual authentication) SSL - CVP/Tomcat - 403 response Answer 8/7/12 4:16 PM Mark as an Answer Submit Reply with Quote Quick Reply Hi everyone. I'm in the process of helping our application developers figure out an issue. In summary: We have an application that lives on the vxml app server (tomcat). This application is required to hit a webservice from a third party using https. We are required to use SSL obvisouly and we are also required to present a .pfx (digitl certificate) when challenged. We have the digital cert and all the certificate chains loaded up properly (at least I think we do). I can do a list on the keystore and see my personal key entry and the cert chains. A packet capture proves we get the SSL handshake started but when challenged for the cert I don't think tomcat knows what to do or which certificate to present to the third party. This writes an error out in the STD out log in the Tomcat folder complaining about a 403 failure. Which it's probably a 403.4 or 403.7 (SSL required) error. I've loaded the certs up in the windows key store and can hit the same URL from the IE browser. IE prompts me to select the cert I want to use when challenged and then SSL starts and I can see the data from the webservice. So - is two step or mutual SSL even possible on CVP (tomcat) version 8.5.1(ES4)? If so, is there any other way to debug SSL and figure out why tomcat can't or does not present the correct cert? Thanks in advance, Jason
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Hemal Mehta Posts: 525 Join Date: 11/27/08 Recent Posts	RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response Answer 8/7/12 6:39 PM as a reply to Jason Jackson. Mark as an Answer Submit Reply with Quote Quick Reply What are the commands you used to import the security certs into tomcat. Did you import a .cer ?
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Jason Jackson Posts: 12 Join Date: 6/2/10 Recent Posts	RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response Answer 8/7/12 8:39 PM as a reply to Hemal Mehta. Mark as an Answer Submit Reply with Quote Quick Reply What are the commands you used to import the security certs into tomcat. Did you import a .cer ? Hi. We were issued a .pfx file. In that file is the private key, and the certificate chain. We point our keytore to a specific keystore using the java options in the tomcat confing. Here is the command I used to import the file: keytool -importkeystore -srckeystore C:\mycert.pfx -srcstoretype PKCS12 -destkeystore C:\cvp.keystore Everything seemed to work with the keytool. I can do a list on the keystore and the private key entry is there.
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Hemal Mehta Posts: 525 Join Date: 11/27/08 Recent Posts	RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response Answer 8/8/12 2:12 PM as a reply to Jason Jackson. Mark as an Answer Submit Reply with Quote Quick Reply Did you import the root certificate also. I do this all the time. I mainly work with .cer though I store it on cacerts. Can you make sure and check the certs using the command: C:\Cisco\CVP\jre1.6\lib\security>C:\Cisco\CVP\jre1.6\bin\keytool -list -v -keyst ore cacerts replace it with your dir and keystore
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Jason Jackson Posts: 12 Join Date: 6/2/10 Recent Posts	RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response Answer 8/8/12 7:31 PM as a reply to Hemal Mehta. Mark as an Answer Submit Reply with Quote Quick Reply Did you import the root certificate also. I do this all the time. I mainly work with .cer though I store it on cacerts. Can you make sure and check the certs using the command: C:\Cisco\CVP\jre1.6\lib\security>C:\Cisco\CVP\jre1.6\bin\keytool -list -v -keyst ore cacerts replace it with your dir and keystore Hi. Yes, the list command shows all the certs and no issues. I actually just got word back from Cisco TAC that mutual SSL is not even supported on tomcat/cvp 8.5(1) ES4 yet. I'm not sure I buy that answer yet but I will keep digging.
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Jason Jackson Posts: 12 Join Date: 6/2/10 Recent Posts	RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response Answer 8/17/12 3:54 PM as a reply to Jason Jackson. Mark as an Answer Submit Reply with Quote Quick Reply Did you import the root certificate also. I do this all the time. I mainly work with .cer though I store it on cacerts. Can you make sure and check the certs using the command: C:\Cisco\CVP\jre1.6\lib\security>C:\Cisco\CVP\jre1.6\bin\keytool -list -v -keyst ore cacerts replace it with your dir and keystore Hi. Yes, the list command shows all the certs and no issues. I actually just got word back from Cisco TAC that mutual SSL is not even supported on tomcat/cvp 8.5(1) ES4 yet. I'm not sure I buy that answer yet but I will keep digging. Last update on this: Turns out that CVP/TOMCAT will not do this internally but we were told it can be done from the application perspective with java. Developers are still researching how to make that actually work. If anyone has any code snippets I can send over that would be great.
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top